Re: [OAUTH-WG] New podcast on identity specifications

Brian Campbell <> Wed, 23 September 2020 22:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 17A363A154B for <>; Wed, 23 Sep 2020 15:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 49OxBwo08cYl for <>; Wed, 23 Sep 2020 15:40:26 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B6B13A151D for <>; Wed, 23 Sep 2020 15:40:25 -0700 (PDT)
Received: by with SMTP id y17so1648399lfa.8 for <>; Wed, 23 Sep 2020 15:40:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SqWH5xTyWQRigirkJVTAvo//IGHbWIT/DO1dOAlKF/o=; b=e4oTQ3eG6xlaPJKq7RdxmRCUKH5e8dkfVu2eP+rknnsw7xHmiIfXQFlkVzoFG/dKxJ 08H2FpgJYsotyEeOLPkU2e4TFRtkWOVIvK0WqPPK0KYsgfjkcKuZ/Z0S0Vlpv+sKsYvq 508as30lTcZHrqpS8OcObHlnfwuSkilweJ9mjusD4d3zvxcX8kzpFnsKFaIf/pnF6JFN Wth0I1TU3cOjtUe2cvZoKhN31i6zx1yhJZEt5vYviI2U7g3GiefZd0dm4yv9WFPW5Bwc 2sx66ut3eo54j/UsXxT/5xwLL7hlZw8SHGFEQ7IXrm8UJ2gqhrlm9DJh4Qbug3HmtXlg iHLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SqWH5xTyWQRigirkJVTAvo//IGHbWIT/DO1dOAlKF/o=; b=iXnS68+m9K1xWgvopPOObdHgSk0uO/zotCWGT/J1dMYdFVx2u0c/S4F0TB6mnkjM3A lQjZ+cygVqEBD7iXYvDpl5d4o8tcf1em1n1obergBwq78t1w26FKdyT1iWaK9zed3uYM LZj9+1imTfhBUolsNIdF0e256MV1SgRNtmCaAOU92ImhWvg2t0TcUk4UviiKCorvMsSN HFwqDtT5xH13gD8PE9edo+byFKJAUGqyIZu+uaGwig6n8ue9VMfYSSTk+R/R1rWdTLuk Nj3+XTORO0Mphpu7RhM2BlPd5KteIZDMVimy+pkloA4HxeEVzg2bRytANBEIizKsxm+7 Mbqg==
X-Gm-Message-State: AOAM532//SoHf6HdCxL5QeS/OFqPbEELlyFLbILhAFsmCJQXFOsqfZhD Szvihb8P9DvsTp+38asP6CbRFYhU84mgfsuCxIAfR3Qs0Oze4MFbNEb2AtinPHlBht/6o5IhluB la2AqF1qYshjPGQ==
X-Google-Smtp-Source: ABdhPJySbHpsIi+nMI2IKbxfr7G+6UGWOE6NGiM6o1Q3EAjs7WmJHSKiK+kJJ2dUm0EqfvNM2QY2gI+Vd8+yXNvQmDM=
X-Received: by 2002:a19:8703:: with SMTP id j3mr579387lfd.560.1600900823547; Wed, 23 Sep 2020 15:40:23 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Wed, 23 Sep 2020 16:39:57 -0600
Message-ID: <>
To: Denis <>
Cc: Vittorio Bertocci <>, Vladimir Dzhuvinov <>, oauth <>
Content-Type: multipart/alternative; boundary="000000000000e89c5705b002c4eb"
Archived-At: <>
Subject: Re: [OAUTH-WG] New podcast on identity specifications
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Sep 2020 22:40:30 -0000

Hello Denis,

The most recent version of the DPoP draft is not draft-fett-oauth-dpop-04
but rather draft-ietf-oauth-dpop-01, which doesn't expire until November. I
realize that the naming and versioning conventions of IETF documents are a
bit esoteric and can lend themselves to such mistakes. But someone who
insists on making unhelpful criticism of said documents should probably be
more mindful of such details.

This WG (and it's not the only WG where this has happened) has repeatedly
confirmed the rough consensus that these so-called collaboration attacks
are not something that DPoP, or any of the other documents you've said the
same about, is expected to address. Nor that there is even reason enough to
think that readers need to be told so. Your personal enthusiasm for the
topic does not change that and doesn't change the fundamental nature of how
OAuth works.

I am sorry to hear that you felt the podcast was too long. I can certainly
empathize with feeling like one's time has been wasted.

On Wed, Sep 23, 2020 at 3:38 AM Denis <> wrote:

> Hello Brian and Vittorio,
> I have two observations:
>    - draft-fett-oauth-dpop-04 which is the last version expired on 5
>    September 2020,
>    - the podcast as well as draft-fett-oauth-dpop-04 omit to mention the
>    client/user collaborative attack against which draft-fett-oauth-dpop-04 is
>    ineffective.
> Denis
> PS. The podcast is a nice effort but is far too long (29:37).
> The mTLS vs DPoP was good in articulating how the two specs are alike, how
> they differ and which particular type of app they are meant to serve.
> I'm saying this as a person who is generally allergic to technical
> podcasts :)
> Maybe every RFC that comes out of this WG should have a podcast link at
> the top, where the authors discuss it in simple, honest and non-speccy
> terms, because that's often how people are best able to perceive the spirit
> and subtleties of some technical or spec work.
> Vladimir
> On 21/09/2020 09:40, Vittorio Bertocci wrote:
> Dear all,
> This is an informal mail to inform you that there’s a new podcast
> <>,, dedicated to inform
> and explain new identity specs developments for developers.
> You can find a more detailed explanation of the podcast’s goals in
>, but
> the TL;DR is that the spec themselves aren’t all that easy to read for the
> non-initiated, and a lot of useful info emerges during the discussions
> leading to the spec but rarely surface in a usable form to the people who
> don’t participate in discussions.
> The first episode
> <>,
> featuring Brian Campbell discussing MTLS & DPoP, should give you an idea of
> what season 1 of the show will look like.
> The full list of the first run is available here
> <>.
> Of 6 episodes, 3 of them are about specifications coming out of this WG-
> and all guests are actively involved in the IETF.
> My main goals sharing this info here are
>    - *Letting you know that the podcast exists*, so that you can make use
>    of it if you so choose (e.g. referring people to it if they need to better
>    understand something covered in an episode)
>    - *Soliciting proposals for new episodes*: topics you believe are
>    currently underserved, topics you are often asked about, topics you would
>    like to be interviewed about on the show
>    - *Growing the show’s subscriber base*. I was able to get backing from
>    my company to produce a podcast that has exactly ZERO product pitches and
>    is purely about identity specs promotion, on the gamble that the topic does
>    have an audience finding it useful. So far the reception has been great,
>    and we need to keep it up if we want to have a season 2.
> I hope you’ll find the initiative useful!
> Cheers,
> V.

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._